CVE-2024-21833

Summary

Multiple TP-LINK products allow a network-adjacent unauthenticated attacker with access to the product to execute arbitrary OS commands. The affected device, with the initial configuration, allows login only from the LAN port or Wi-Fi.

Affected Software

VendorProductVersion RangeStatus
TP-LinkArcher AX3000firmware versions prior to "Archer AX3000(JP)_V1_1.1.2 Build 20231115"affected
TP-LinkArcher AX5400firmware versions prior to "Archer AX5400(JP)_V1_1.1.2 Build 20231115"affected
TP-LinkArcher AXE75firmware versions prior to "Archer AXE75(JP)_V1_231115"affected
TP-LinkDeco X50firmware versions prior to "Deco X50(JP)_V1_1.4.1 Build 20231122"affected
TP-LinkDeco XE200firmware versions prior to "Deco XE200(JP)_V1_1.2.5 Build 20231120"affected

Weaknesses

  • OS command injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References